Privacy & The Internet of Me

I recently attended an industry event where analysts from Gartner and Forrester discussed some of the key industry trends.  They identified two major technology categories:

  1. Wearable Devices – anything from Google Glass to FitBit to RFID tagged clothing
  2. Data Analytics – in particular, those applications and services that present data in a fashion that can be easily consumed by the average business person or consumer –  without the aid of a data scientist or analyst.

The next obvious question asked of the analysts was, “What about privacy?”  In unison, both chimed in that it is the pivotal issue surrounding the success or failure of certain products, services and initiatives in this space.  We agree.

MedConnect

Connected devices provide enormous information about each of us that can be used to help us get more exercise, loose weight, manage our household security, the location of our children and elder parents and even manage chronic diseases more effectively.  This information, if not managed properly can lead to unwanted marketing messages, at best, and pricing or service access discrimination by unscrupulous organizations.  Technologists talk about the opportunity of the Internet of Things (IoT).  From a societal and business policy perspective, the discussion is really about the “Internet of Me” (IoM).

It becomes imperative that users have a choice about the control, use and flow of their personal data.  It also becomes vital that companies who collect and/or use connected device data have clear and unambiguous policies and disclosures about data use.  Remember – pie isn’t free at the truck stop.  There is always a cost – obvious, or hidden.  So before you choose a “free” service over a paid subscription, or finalize your connected device data business plans, take to the time to understand if and how all that “IoM” data will be used.

Identity, Privacy, the Government & Trust

I read a wonderful post today written by Ben Horowitz - The Little Country that Cloud.  The post describes Estonia’s groundbreaking work to use technology in way that builds trust and communications between a government and its populace.

 

As noted in the post, everything has not been perfect, but it does provide hope – and a roadmap – for countries to productively engage its citizenry through the integration of technology and commercial infrastructure built upon trust and respect.   While Estonia, through political upheaval had the opportunity to “re-invent” itself, think of how efficient just our healthcare system could be if we applied even a part of what they have put in place as we build out our e-health initiatives.

 

The future does indeed look bright!

 

Re-Imagining the future of the Web

wpid-images-2013-01-24-16-38.jpeg

Hmmm…

What we do differently if we had the chance to do it all over again? There’s no question that the Internet has ushered in some of the greatest changes of the century. And yet as humans we should ponder the question – What if?

What if in the future, the Web could deliver a richer experience and respect my privacy?

Think about that for a moment. It’s actually a pivotal argument which appears to be an almost impossible problem to solve. The Web has always been synonymous with free. As in free content in return for using your private data to deliver advertising.

After 20 years of using the Web i’ve yet to see an advert that appeals to me on a Web page. It’s like they (the advertisers) know absolutely nothing about me. I’ve often wondered why there isn’t a simple menu option in the browser which allows me to ‘share my personal ad preferences’ with the content provider?

And yet to this day there’s nothing.

The question that no one can imagine asking is how can I share my private data in return for a better experience. There’s currently no ‘Internet of You’ (or Me) and yet with Advertising becoming a limited resource (there’s only so many Web pages for ads) why isn’t someone ‘re-imagining the Web’ to provide a richer more personalized experience?

I define Privacy as the ‘ability to control the collection flow and use of my Private data’. What I want in a re-imagined Web is the ability to control that collection, flow and use in a simple and easy to use manner. And in the act of sharing more value with the content provider in return receive more value in return.

If you go back in time (Innovation, The Internet, Standards And the Arrow of Time – Part I & Part II) you’ll see that the key to unlocking the future is to re-imagine the current. In the examples shown you can see how obvious it is as the arrow of time moves forward.

At 3PMobile we started out re-imagining the future of the Web. It’s one which aligns perfectly with the current Web, and then extends it into the future for those who want something better.

Openness – The Key to Monetizing Mobile

(Or Why I think 3P-Based Infrastructure and Value-Add Channels are Sexy)

Over the past decade, rapid advancements in mobile technology and mobility in general, have changed how we live and how we do business.  It has changed us from an “on-demand” world to an “always connected” world.  No doubt, mobile is here to stay and it is big business; but it’s just getting started.  We are just approaching the point where open standards and open channels can deliver the real benefit of a business ecosystem.

Modern mobility started as a walled garden.  The carriers and handset companies controlled everything due to very real bandwidth constraints, network limitations and industry knowledge.  Voice improved, but data experiences were still lacking.  Good money was made on mostly disconnected enterprise app development for Palm, Blackberry and Windows Mobile devices. Over time, control shifted to the OS companies, where vertically integrated handsets and operating systems were designed to support better consistency in the user experience. Unfortunately, controlling the user experience has lead to more restrictive monetization models, locking out most developers from making meaningful money.  Effectively, we shifted the gatekeepers from the carriers to companies like Apple – but at the expense of the channels that provide value-add functionality and content.  One step forward.  One step backward.

Users appreciated the improved experience, so brought their devices to work.  BYOD was born, and with it, arose app development, security and curation platforms.  Emerging leaders in this space include Adobe, Antenna, Good and Appcelerator, to name a few.  In an effort to simplify and improve profitability, market consolidation is underway. While this may simplify things in the future, it is currently wreaking havoc on IT.  Platforms have added complexity without improving the user experience.

The answer to many of these problems is staring us in the face.  Apple had the original right idea – “the real Web on your mobile phone.”  The infrastructure just wasn’t quite ready back then and the user experience was limited to the user interface – which is a naïve view of modern mobility.  An “app for that” was born and now we are living with the fallout.

Improved bandwidth, ubiquitous connectivity, attention to user experience and now, an emphasis on simplifying security, management and app access are all here – everything needed to lay the groundwork for an incredibly rich mobile ecosystem.  It’s an ecosystem, which can be monetized by the greatest number of development, product and service delivery channels.  We’ve made great strides forward, but in order to realize the monetary benefit throughout the entire ecosystem, a new openness must ensue; the kind of openness that is exemplified by the Web economy.

Just as Microsoft created an open and engaging development community that fueled the PC economy, one, or more of these infrastructure leaders must apply the same model to mobility.  How?

  1. Deliver an exceptional user experience.  Include optimal performance, privacy and security management, and the ability to personalize the experience by device, location and personal preferences.
  2. Include meaningful channel monetization opportunities.  Offer standards-based tools, support and best practice advice for developers, integrators and service providers that can be put to use with existing skills and expertise.
  3. Provide a platform that supports choice.  Choice for both app and Web-based solutions.  Choice that supports both free and paid content.  Choice that supports both consumer and enterprise needs.

Once these three criteria are met, as in industry we no longer have to build walls in the name of bandwidth, user experience, or preserving the “free Web” business model.  With the openness of Web standards, we can increase user choice and satisfaction, while unlocking mobile monetization for the entire ecosystem.  (Although the thoughtful few that move first will reap the biggest benefits).

While most people don’t view infrastructure as sexy, I believe that adding the 3Ps to mobility not only makes infrastructure cool, but also enables new channels and all classes of business to fully monetize mobility.   Now, who in business doesn’t think making money is sexy?!

Definition or Death for DNT?

“One in three Brits is likely to stop using IE10 because of Do Not Track.   

Oh My!  That’s terrible!  But is it really accurate????

I’m a marketer.  I understand how statistics can be modified to support your specific business case.  I also get the value of a great “title” or sound bite.  This one certainly caught my eye.  I can appreciate a good fish tale.  And I understand how the precise wording of a question can skew survey results (would you rather pay $100 or $50 for this service?  Duh!).  I am also a citizen and consumer and I believe that privacy is a right to be protected and that users should have a choice in what data is shared, with whom, and for what purpose.

To that end, I care a lot about what is happening with Do Not Track, and Web privacy, in general.  Like most professionals I know, my self-imposed marketing rope is short, as in the end, you must deliver on what you promise or you’ll hang yourself and drive away customers.  Clarity is important.  Having clear, and agreed to definitions, or a common language is important if you don’t want your customers to be confused or misled.

So when I saw this headline, I was intrigued.  And boy is this one from  The Drum (Modern Marketing and Media) a whopper!  So I just had to read on because this is pretty heady stuff.  Why on earth would 1/3 of the people in Great Britain be so anti-IE10?   The quote that caught my attention was the following:

“According to the research, IE10’s plans to automatically disable tracking would upset some 87 per cent of Brits who favour auto-fill services and more relevant advertising. Of those surveyed 13 per cent stated they wouldn’t allow their browser to retain information, such as passwords, for future use.”

Auto-fill?  Seriously?  Do Not Track (in its current draft) has nothing to do with auto-fill.   It does not stop a website from collecting data from its users – just from sharing it with others without their permission.  And users can easily turn off DNT in IE10, just as easily as they can turn something on or off in any DNT supporting browser.

Now, I can’t say with absolutely certainty that there is some deliberate campaign on the part of certain parties to bash DNT into oblivion, but as a marketer, it sure looks like it to me. I’m sure their data absolutely supports the claims in the article, but the context of the question sure seems off target.  And that context is easily muddied given the lack of clear definition that currently exists within the DNT standards working group.  It’s no wonder that today, the W3C appointed a new chair to the DNT Standards working group – who by the way is more than an a professor.  He also happens to be a privacy attorney, not a technical expert.  Ever read a good contract. What’s the first thing in it – a definition of all terms so their is no ambiguity around anything.

So will it be death or definition for DNT???  

Make no mistakes, the stakes are enormous!

The New G-Men (or Should I Say G-Women) of Privacy

Digital Privacy is a big deal and with the US elections behind us, we can get on with the business at hand – finalizing standards and regulation (or the enforcement thereof) that protect our basic rights to know who is collecting and using our data, how it’s being used AND having greater choice over who and how it is collected.

G-Men

While it’s easy to bash our respective governments, I’d like to call out three government agencies, and the women that lead them, that truly seem to have their citizens’ best interests at heart and are a good use of our taxpayer dollars:  The US Federal Trade Commission (FTC), the European Commission (EU) and the Information Privacy Commissioner, Ontario Canada.  All have been active proponents of increasing transparency, accountability and consumer choice relative to digital data sharing and usage and are encouraging privacy by design principles.

First off, FTC Commissioner Julie Brill has been extremely proactive in the Privacy effort – long before the Obama Privacy Bill of Rights saw the light of day.  Commissioner Brill has not only been driving things back in Washington, D.C., but she has been on the road engaging with businesses, developers, academicians and attorneys to reinforce the importance and urgency of resolving privacy-related issues and encouraging those of us in the web and mobile spaces to design our products based on privacy best practices, not simply some obscure privacy policy hidden away on a site or an about or settings screen.  Key to this is putting privacy choice front and center in any user interface.  I feel fortunate enough to have heard Commissioner Brill speak on two occasions and get her personal opinion on the Do Not Track (DNT) initiative at a recent App Developers Privacy Conference sponsored by the University of Colorado at Boulder.  She is smart and thoughtful and her staff is responsive to enquiries.

While I have not personally met EU Commission Vice President, Neelie Kroes, her statements on privacy are thoughtful and to the point.  She is doing her job, which is to protect the privacy of EU citizens and ensure recent privacy laws are enforced.  This does not mean killing business, but it does mean that businesses are not “more equal” than citizens, just because they have more people or money and speak louder.  As with the FTC, the EU Commission team is open and responsive to enquiries and connecting interested parties whose businesses and lives are affected by the recent privacy regulations.

Lastly, Ontario Information Privacy Commissioner Ann Cavoukian, PhD, and her staff have been equally active in promoting the Privacy by Design concept throughout North American and Europe.  They actively reach out to organizations interested in setting new standards in privacy-centric web and app development and have a wonderful Privacy Ambassadors program for individuals and organizations who proactively promote the need for privacy within their field and utilize privacy by design principals within their organization’s development efforts. (I’m pleased to say my partner, Peter Cranstone has been named a Privacy Ambassador).

Based upon my personal experience, these three agencies, their leaders and their staff actually do something to serve their citizens and protect those rights deemed important by the different countries they represent.  Thank you!

Google joins the Do Not Track Party

wpid-2012-11-06_13-36-46-2012-11-6-13-334.png

Just downloaded the latest version of Chrome and it’s official – Do Not Track is now a Privacy setting. Although you might want to read the disclaimer that shows up when you check the box.

The DNT Rope-a-Dope

Even us folks that don’t follow boxing know the infamous rope-a-dope.  Show them one thing and then deliver another.  The classic, you never saw it coming.  So what does this have to do with Do Not Track?

In theory, the DNT effort of the W3C is about defining the technical standards to support the ability of a user to request that a website not share their information with any other party.  It is in response to consumer, government and privacy advocate’s requests (and EU regulations) to give consumers a deliberate choice in determining how their personal information is used and shared.

Unfortunately, things are not going well, as summarized in this PCWorld article about IE10 Privacy Settings.  But are we really looking at the right things or is all this finger pointing simply a distraction from the real issues?

  1. DNT has no clear definition.  Do Not Track is really Do Not Share, so the name of the standard is misleading.
  2. DNT has a misleading objective.  There is nothing in the standard that prohibits a website from collecting data about its visitors and using that data to deliver personalized content or advertising.
  3. DNT has no teeth.  It is voluntary, so even if a user sets a preference in their browser, the US websites and services are not obligated to honor it.
  4. DNT offers minimal consumer recourse.  The FTC only gets involved if a site or service is not fulfilling it’s commitment to the user.
  5. DNT lacks transparency.  While this is a public forum, most people wouldn’t know where to look for information.  The standard is being used to define the policy, rather than reflect the policy, which means non-obvious exceptions can be built-in.

So whether or not Microsoft has DNT turned on or off by default, or Apple hides it’s selection within the greater “Private Browsing” settings of iOS, so the user is unaware of what they have or haven’t selected, what does it matter?  The standard is a long way away from approval.

So all this hullabaloo about IE10 is a distraction.   DNT has no clear definition and is self-regulated with the biggest wallet at the standards development table being the same organizations who profit the most from tracking.  So while companies point fingers at Microsoft for “not adhering to” a yet to be approved standard, regardless of it’s original intent, DNT is starting to look and feel like the rope-a-dope, with a knock-out blow to privacy.

 

Privacy and the Human in the Loop

wpid-hil-2012-10-17-11-24.jpeg

When considering any system sometimes we forget that there’s a ‘Human in the Loop’. I’ve just finished reading a great white paper by Lori Cranor (A Framework for Reasoning About the Human in the Loop), and whilst this paper talks about security, it’s kissing cousin is Privacy. So a lot of the ideas presented here are interchangeable.

In this paper Lori talks about keeping humans out of the loop when it comes to security unless it’s absolutely unavoidable. In which case she talks about a framework that can be used to identify problem areas before a system is built.

Here are the components in her framework:

  1. Communication: How are you communicating with the user (Notices, Warnings Status lights)?
  2. Communications impediments: Can communications be interfered with (malicious 3rd parties)?
  3. Personal variables: Human behavior and relevant knowledge about the system?
  4. Intentions: Can the system be trusted and are users motivated to take appropriate action?
  5. Capabilities: Are users capable of taking the appropriate action?

So what has all of this got to do with the proposed Do Not Track standard? Well actually, a lot. Systems live and die based on the ‘Human in the Loop’ so if the solution is poorly designed or cannot be trusted there is little chance of it succeeding.

The current proposed Do Not Track standard has an incredibly simple Human Interface. The user goes to the browser menu, selects Privacy and then checks the box marked ‘Ask Web Sites Not To Track Me’. That’s it. That one check box is all the human intervention required. So what could possibly go wrong? Well a lot.

The standard makes it very simple for a user to communicate an intention to a Web server – and then (dare I say it) deliberately removes the need for a Web server to communicate that it ‘acknowledges and understands’ the users intention. Right there is the fatal design flaw. (Image if HTTPS worked this way). A malicious 3rd party can easily change the users intention to an alternative undesired outcome i.e. ‘Track Me’. As there’s no need for the Web server to acknowledge what it received you can easily make the case that it can simply ignore everything and continue as normal. In short there’s NO verification (as in Trust but Verify) required. So Do Not Track fails both item 1 & 2 in the framework.

As we go on we see that there are similar problems with all of the other framework items as well. Humans have really NO idea how their private data is being used on the Web. They love all the FREE services but fail to understand that ‘pie is not free at the truck stop’. Their data is shared in an attempt to market new services to them. So Do Not Track fails item 3.

Lets look at the final two items. Intentions and Capabilities – again we have a ‘swing and a miss’ scenario. If I cannot verify what I sent then I cannot trust the system. I have to trust the content provider and due to the lack of transparency when it comes to privacy (NOT security) the Human has no idea what is really taking place under the covers. Finally – capabilities. Can I take appropriate action IF I find out my privacy is being abused. Not really – I can go to another Web site but that might be the same as jumping from the fire pan in to the fire. I cannot change my browser settings any further so essentially i’m stuck sharing my data if I want that free service.

However the user can fight back – and FaceBook is a good example of that. Approximately 25% of a FaceBook users use a fake profile. That’s 250 million people all lying about who they are. And herein lies (pun intended) the real Privacy issue – where’s the motivation for both parties (Human and Content Provider) to deliver meaningful value?

It’s like everyone is stuck in the mud with the current status quo where everything is free and everything (my privacy) is for sale. The only solution that i’ve seen that comes really, really close to meeting Lori’s framework guidelines is the RePriv idea from Microsoft. Why? Because it adds accountability back into the system.

As the old saying goes – 50% of all advertising is worthless – the trick is in figuring out which 50%. A better designed system as Microsoft proves in the RePriv paper showcases that it can be done and the benefits are significant for the ‘Human in the Loop’.

Re-Envisioning In-Browser Privacy

wpid-eye-2012-10-16-14-435.jpg

I’ve been planning on writing about an alternative approach to In-Browser Privacy. Obviously we’re very much in favor of a better solution than the current Do Not Track standard that’s being offered, and to that end we set out over 6 years ago now to build a fully standards based solution that seamlessly integrates into all current Web infrastructures – we call it Choice®.

So with the idea in mind I set out to do some research to see if anyone else thought that it would be a good idea. And the answer is ‘Yes’. I’m linking to a Microsoft Research Report titled ‘Re-Envisioning In-Browser Privacy’which I think is probably the best paper i’ve seen on the Web that not only showcases a solution, but also clearly shows how powerful a solution would be to drive new value and experiences for the ad industry and consumer alike.

I do disagree with two of their ideas: 1) Build a new browser & 2) Build a new protocol to layer in on top of HTTP – but that’s all.

We designed Choice® to integrate with all existing browsers AND use the current HTTP protocol. This allows seamless integration across all infrastructures. With the exception of those two items we’re in alignment on everything. The value proposition is simply huge – a true win – win for all concerned.

If you’re interested in privacy and want to be ‘part of the solution’ then I urge you to read this. If you want to see it in action then download a copy of Choice® today and see how far we’ve taken the idea.